Bug 990321 (CVE-2013-4482)

Summary: CVE-2013-4482 luci: paster hidden untrusted path and "command" (callable association) injection
Product: [Other] Security Response Reporter: Jan Pokorný [poki] <jpokorny>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: fdinitto, jkurik, jpokorny, rmccabe, rsteiger, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
A flaw was found in the way the luci service was initialized. If a system administrator started the luci service from a directory that was writable to by a local user, that user could use this flaw to execute arbitrary code as the root or luci user.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2013-11-21 14:25:36 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1005385    
Bug Blocks: 974906, 990750    

Comment 12 Tomas Hoger 2013-10-30 12:01:11 UTC 
The luci uses python-paste-script / paster to start serving its web application.  paster searches current working directory and parent directories of CWD for python *.egg-info files or directories.  These are used to define additional commands recognized by the paster script, or to add additional paths to sys.path for the started web application.  luci failed to force safe CWD to compensate for this feature of paster.  If system administrator started luci service while in untrusted directory (e.g. in /tmp), a local user with write permission to the directory could use this flaw to execute arbitrary code with root or luci user privileges.

This issue was addressed by changing service init script to change current working directory before starting luci.

Acknowledgements:

This issue was discovered by Jan Pokorný of Red Hat.
Comment 13 Tomas Hoger 2013-11-20 19:01:18 UTC 
Lifting embargo.
Comment 14 errata-xmlrpc 2013-11-21 10:33:38 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2013:1603 https://rhn.redhat.com/errata/RHSA-2013-1603.html